Skip to content

feat(gh-workflows): add supply chain security scan gate#102

Draft
mateo-di wants to merge 1 commit into
carto/mainfrom
sc-543659/supply-chain-security-scan
Draft

feat(gh-workflows): add supply chain security scan gate#102
mateo-di wants to merge 1 commit into
carto/mainfrom
sc-543659/supply-chain-security-scan

Conversation

@mateo-di

Copy link
Copy Markdown
Collaborator

Summary

Add automated supply chain security scanning to the upstream sync pipeline, responding to the litellm v1.82.8 PyPI compromise (BerriAI/litellm#24512).

Story: sc-543659

What Changed

New: Supply chain security scan workflow

carto-supply-chain-security.yml — runs on every PR to carto/main with 5 security layers:

Layer Tool Catches
Source scan GuardDog (Datadog, OpenSSF) Obfuscated code, data exfiltration, .pth abuse, base64 payloads
Wheel allowlist Python script Any file outside litellm/ + dist-info/ (exact v1.82.8 attack vector)
Wheel scan GuardDog verify Malicious patterns inside the built wheel
CVE audit pip-audit (PyPA) Known vulnerable dependencies (advisory)
Structural checks Shell script setup.py introduction, non-PyPI deps, build hooks

Hardening: Pin GitHub Actions by SHA

All CARTO workflow files now use commit SHA pinning instead of tag-based pinning (@v4@<sha> # v4). This prevents tag hijacking attacks where an attacker replaces a tag with malicious code.

Hardening: Dockerfile wheel audit

Added inline wheel allowlist check after python -m build in the Dockerfile. Fails the Docker build if unexpected files (e.g., .pth) are found in the wheel.

Updated: Upstream sync PR template

Added a "Supply Chain Security" checklist section to the upstream sync PR body.

Updated: ci_cd/security_scans.sh

Added run_supply_chain_scans() function with GuardDog scan, wheel audit, and structural integrity checks.

Approach: "Allow known good" > "Block known bad"

Instead of hand-rolled grep patterns for specific attack vectors (reactive, whack-a-mole), we use:

  • GuardDog — battle-tested Semgrep rules that detect dozens of malicious patterns
  • Wheel allowlist — only litellm/ and litellm-*.dist-info/ files allowed (catches any future attack vector, not just .pth)
  • Both tools pinned by version to prevent self-compromise

Investigation Results

Our fork is confirmed NOT compromised:

  • Version: v1.81.9 (pre-dates the v1.82.8 attack)
  • Build: from source (python -m build in Dockerfile), never from PyPI
  • Sync: from GitHub source tags, not PyPI packages
  • Gate: manual PR review before anything reaches carto/main

AI-Generated Code Notice

  • This PR contains AI-generated code
  • Areas requiring extra verification: workflow YAML correctness, GuardDog integration

Add automated supply chain security scanning to the upstream sync pipeline,
responding to the litellm v1.82.8 PyPI compromise (BerriAI#24512).

New workflow (carto-supply-chain-security.yml) with 5 layers:
- GuardDog (Datadog/OpenSSF): Semgrep-powered malicious pattern detection
- Wheel allowlist audit: only litellm/ and dist-info/ files allowed
- GuardDog wheel verify: scan built wheel for malicious code
- pip-audit (PyPA): known vulnerability scanning (advisory)
- Structural integrity: setup.py guard, dependency source check

Additional hardening:
- Pin all GitHub Actions in CARTO workflows by commit SHA (prevent tag hijacking)
- Add wheel audit step to Dockerfile build (defense-in-depth at build time)
- Add supply chain security checklist to upstream sync PR body
- Add supply chain scan function to ci_cd/security_scans.sh

Co-authored-by: Claude <noreply@anthropic.com>
@mateo-di

Copy link
Copy Markdown
Collaborator Author

/gemini review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant